Nextcloud Introducing Native Integrated End-to-end Encryption

Why do CalDAV and CardDAV get disabled with this enabled? Is that by design?

Yeah, it is hard, I know. However, it makes very much sense considering that this is possibly the most private data on many systems. I would lose the browser integration, okay, no problem, I don’t need all my contacts in my browser. Same with calendar… Having it optional assures that I have the choice to enable it or disable it.
You would need integration into DavDroid, GNOME, etc. That could be hard. But you could also make your own apps for it. You do not need a calendar app, just an app decrypting everything and putting it into the system calendar and vice versa. So a WebDAV app with an additional e2e crypto built-in.


They are? Or you mean if you would end-to-end encrypt them? The CalDAV and CardDAV standards have no support for end-to-end encryption so you would lose them, yeah, if you would try to encrypt them. That is, any app that speaks CalDAV and CardDAV can’t speak the new encrypted protocol so they wouldn’t work. You can’t send invitations or receive them from others outside the apps and people that have it supported. I think this feature would have VERY little value, to be honest, except for a very small number of people.

Yeah, with a lot of work it would be usable for a limited set of use cases. I don’t see it becoming an important, prominent feature, ever - it isn’t something 95% of users could/would use. Even the end-to-end encryption is only really useful for a subset of users, who typically would only use it for one or a few folders. Though our design, I think, makes it so easy it could be used by well over half our users some day.

I think he misunderstood that the end-to-end encryption is optional and only applicable to folders on the storage, whereas I think that the CalDAV and CardDAV data lives in the database, doesn’t it?

I mean that CalDAV and CardDAV immediately do not work when the E2EE is enabled for my Nextcloud.

My calendar errors out and cannot connect to the server.

As soon as I disable E2EE they connect and sync again fine.

With regard to their encryption, I could not disagree more. I believe it’s a challenge and not easy for sure, but in the age of GDPR, it is not something that should be dismissed so readily. Nor is it a matter of what users ‘want’, it’s about what GDPR states in relation to keeping customer data safe.

@budy no misunderstanding here, just stating a fact in my case; CalDAV and CardDAV no longer sync with E2EE enabled.

Not the only one to have the effect either -> Nextcloud 12.03 End to End Encryption Testing?

Well… on the page for the server app it states this:

This app provides all the necessary APIs to implement end-to-end encryption on the client side. Additionally it makes sure that end-to-end encrypted files are not accessible with the web interface and other WebDAV clients.

From that description it shouldn’t encrypt anything else than selected folders on your account - it may be a bug of some kind.

No mention of CalDAV or CardDAV at all then, so an alpha ‘feature’

I no longer wish to be contacted

@jospoortvliet I have created a GitHub issue on the assumption this is a bug.



Will we see the .msi package for Windows Client? :slight_smile:
It’s very important to maintain the client with AD environments :slight_smile:


Very great news :slight_smile:
A colleague spoke to me about the concept of “privacy by design”.
It is very interesting that only the user can access their data.
Thanks a lot
When do you think it will be included by default?

The CalDAV & CardDAV disabling is a bug, that shouldn’t happen. @bjoern should probably know about this?!?

I don’t know but if we create that it would probably be only for paying customers. Seems like a feature only really relevant for companies with larger number of users. If you need it and are a customer, contact sales/your account manager and ask about this!

Really awesome!
But files are not the only thing to encrypt: The next step should be to add e2e encryption to contacts and calendar, too! This is also very private data…

I agree with rugk: Contacts & calendar, etc. are essential information that should be encrypted.
What about encrypting the database used by NC where this information is stored? Is there a way to encrypt the complete database (mysql, sqlite,…)?



Yes, I’m aware of it. @mannp already created a bug report and there is already a fix waiting for review.

As soon as CardDAV/CalDAV supports it we can think about it. Encrypting it server side adds a lot of complexity, increases the risk for additional bugs and doesn’t provide a significant security improvement.


Does the bug bounty program also apply to E2EE? Because of the importance and severity of this part of Nextcloud it should apply here as well. Maybe even more so than for everything else (which doesn’t mean other parts aren’t important too!), so upgrading the awards in this case money-wise wouldn’t be a bad idea. :wink:

I think a special competition (“Try to crack our client side encryption if you can!”) would be a good idea for this purpose too. Tresorit did this some time ago for example.


It would apply once this is final and part of Nc 13, yeah. And - good idea. @LukasReschke just a thought :wink:

Not sure if this is the right place to ask but nevertheless:
This nice gif shows the Nextcloud Android app in which it is possible to encrypt data. Which version is it? I wanted to test this feature. Therefore I set up a new Nextcloud 12.0.3 installation and manually copied the end-to-end encryption app to the app folder. I tried the latest Android app from here on my Android phone, but I can’t see the possibility to encrypt a folder. Is the feature deactivated?

Thanks a lot for your answer!